VID | 21761 |
Severity | 40 |
Port | 80, ... |
Protocol | TCP |
Class | CGI |
Detailed Description |
phpMyAdmin is vulnerable to local file inclusion in multiple scripts. phpMyAdmin is a tool written in PHP intended to handle the administration of MySQL over the WWW. Currently it can create and drop databases, create/drop/alter tables, delete/edit/add fields, execute any SQL statement, and manage keys on fields. phpMyAdmin version 2.6.4-pl2 and earlier versions could allow a remote attacker to include arbitrary local files, to read arbitrary files on the affected host, and possibly even to execute arbitrary PHP script code in the security context of the Web server process. In addition, the installed version might be vulnerable to cross-site scripting attacks.
* References:
  http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-5
  http://secunia.com/advisories/17289/
  http://archives.neohapsis.com/archives/fulldisclosure/2005-10/0478
* Platforms Affected: Tobias Ratschiller, phpMyAdmin version 2.6.4-pl2 and earlier versions; any operating system, any version |
Recommendation |
Upgrade to the latest version of phpMyAdmin (2.6.4-pl3 or later), available from the phpMyAdmin Download Web page at http://www.phpmyadmin.net/home_page/downloads.php |
Related URL | CVE-2005-3300 (CVE) |
Related URL | 15169,15196 (SecurityFocus) |
Related URL | 22835 (ISS) |